Tor is untrustworthy! Maybe…but we’re not saying why…

Tor, the onion router, is software intended to increase privacy online by passing data from one Tor user to a another Tor user thus obfuscating the source of the data to the ultimate recipient and even users on the Tor network. As a result of this arrangement, one can set up services that are only accessible from inside the Tor network (such as websites one can only visit while on Tor).

RT pointed out that Tor is funded by the FBI and this funding makes Tor suspicious (“Tor’s developers have been meeting with its agents, briefing them on how to use the technology, even organizing conferences for the Bureau.”) and then went on to make a dramatic claim that requires some unpacking:

“The FBI is always the first to know about vulnerabilities in tor’s code, and also gets a say in when the public finds out about the flaws.” and later “A privilege like this effectively gives the FBI all the time in the world to exploit the weak spot before it is fixed”

The entire RT report (and the reports RT based their report on) rely on guilt by association rather than telling the audience about specific vulnerabilities in Tor’s code and how these vulnerabilities are exploited. It’s important not to fall for fear by association where we should demand detailed examinations of vulnerabilities because we don’t need to settle for less than very specific evidence.

I obtained the documents in 2015. By then I had already spent a couple of years doing extensive reporting on Tor’s deeply conflicted ties to the regime change wing of the U.S. government. By following the money, I discovered that Tor was not grassroots. I was able to show that despite its radical anti-government cred, Tor was almost 100% funded by three U.S. national security agencies: the Navy, the State Department and the BBG. Tor was military contractor with its own government contractor number — a privatized extension of the very same government that it claimed to be fighting.

This was a shocking revelation.

Let’s review some facts: Tor started at the US Navy as a research project and was later turned into a more user-friendly free software program anyone could use (RT points this out). This was always known and is not news, therefore it was not shocking. Later Tor was incorporated into a variant of the Firefox web browser called the “Tor Browser” allowing users to easily substitute this browser for their browser any time they want to browse using Tor.

Firefox and Tor are both free software. Free software means users have the freedom to run, inspect, share, and modify the program. This term is not a reference to price, even though both Firefox and Tor are available at no charge. The implications of this are important for this story: if Tor has a security flaw any user, not just Tor’s developers or sponsors, can inspect the code to find the flaw, modify the code to fix the flaw, run the improved code to run the improved code, and distribute the improved code to help their community. One has these permissions and there is no notification requirement—one can do all of these things without telling anyone except those with whom they share the code. This is the best means we have to make sure all computer users are treated ethically. Everyone deserves the freedom to determine what their computer does and this is the way we practically achieve that, and have done this for decades.

Therefore the FBI is not necessarily “always the first toe know about vulnerabilities in Tor’s code” as RT claimed. We don’t know who else has a copy of Tor’s source code. We don’t know who else (besides Tor’s developers) inspects Tor code, who improves Tor code, who publishes their modifications to Tor at all, or with whom code modifications are shared. The same is true of every free software program. These are all direct implications of software freedom.

But doesn’t this mean we should fear the heavy hand of the FBI?

In politics we have incomplete information so we have to settle for making educated guesses such as where a politician or reporter gets their funding because we’re not always privy to the deals politicians make. If a politician accepts money from weapons contractors, for instance, we expect that politician to promote war because that would be beneficial to their campaign funding. Therefore it’s no surprise if they vote pro-war or otherwise champion invasion and occupation. We connect the dots and say that the individuals in Congress are bought off by business lobbies.

But with computer program source code we can see how a program will operate by reading its source code. We can determine what that program does, how that program works, identify its problems, propose and implement fixes. We can learn to become programmers (that’s how programmers figured out how to read source code). We can hire programmers to do work on our behalf, we can ask programmer friends to do favors for us, and we can easily share the result of a programmer’s work with others. So we don’t need to settle for proxies like Tor developers have undisclosed meetings with shadowy government groups where they discuss Tor.

Investigative journalism regarding free software vulnerabilities requires specific evidence, far more than a vague assertion connecting a free program to a party we might be wise not to trust. Our permission (freedom) to run, inspect, share, and modify the published software means we don’t need to settle for guilt by association and shouldn’t accept an absence of hard evidence.

This quote is given in a suspicious context, but here’s another way to interpret the same words in an entirely different light: Tor purposefully routes data circuitously through multiple other Tor users’ computers before that data reaches the Internet (and similarly going in the other direction from the Internet to a Tor user). Therefore Tor as a project needs a lot of people to run Tor, participating as nodes in the Tor network to make the Tor network function. Thus it is in the Tor project’s interest to get more people to run Tor.

Without more detail on specifics, it’s hard to know which way we ought to interpret the quote—with suspicion, as an innocent call for greater participation, or something else?

So what are we to make of the RT claim that “A privilege like this effectively gives the FBI all the time in the world to exploit the weak spot before it is fixed”?

Absent a weakness in Tor’s software (which was not identified in RT’s report), the claim remains unproven. Tor is free software so the FBI has no special advantage over others examining Tor’s source code. If Tor were proprietary (non-free software) RT’s claim here could be true: what any proprietary program does is secret. That secrecy is what gives proprietors an edge over their users, and why users should run nothing but free software on their computers.

What about Tor nodes that spy on the users? Didn’t Tor’s blog warn about this?

On July 4 2014 we found a group of relays that we assume were trying to deanonymize users. They appear to have been targeting people who operate or access Tor hidden services. The attack involved modifying Tor protocol headers to do traffic confirmation attacks.

The attacking relays joined the network on January 30 2014, and we removed them from the network on July 4. While we don’t know when they started doing the attack, users who operated or accessed hidden services from early February through July 4 should assume they were affected.

More details are in that blog post including details of what was known at the time (including pointers to Tor software updates that fix known problems). But the underlying problem remains the same: Tor’s problems are still better addressed with software freedom fully intact and recognized for the huge ethical and practical advantages it brings over non-free software.

Any organization (including the FBI) could work toward adding tracking software (Javascript-based, or Flash-based, for instance) to websites such that most visitors will end up picking up the tracker in normal website browsing. This wouldn’t indicate a hole in Tor per-se, as Tor is not intended to do anything to website malware. In fact, one might look at this exploitation in another way: this approach to undermining the privacy Tor grants may suggest Tor is doing its job of disguising the network locations of its users quite well, thus compelling spy agencies to look for other means to effectively spy on Tor users.

Isn’t it possible there is a genuine weakness in Tor despite being free software?

Sure; we already knew that Tor had genuine weaknesses which were fixed. And it’s possible the upcoming report referred to in RT’s report and Surveillance Valley will reveal more genuine weaknesses in Tor. But we ought not judge things by fear; we should demand evidence. The details backing up the claims in this report have yet to be published. This report contains no actionable clues to help us understand why we should fear Tor or look at Tor as broken beyond repair.

When weaknesses are found users are still better off with a free software program than with non-free software because users have options on how to get the software fixed. They can wait for an update from the Tor developers, they can get involved and learn the details and apply a fix themselves, they can hire someone they trust to do this work for them. Compare that to non-free software where the only options are to quit running the non-free software or to wait for the proprietor (the very party users can’t trust) to ‘fix’ the problem.

E-waste versus Microsoft

RT showed the story of a California-based Eric Lundgren who offered copies of Microsoft OS restore discs — a disc used to install a new copy of an operating system on a computer — thus allowing someone to keep using their old computer instead of buying a new computer.

Lundgren said that he did nothing wrong; systems running Microsoft Windows slow down over time, his service allowed users to experience a faster computer by reinstalling the operating system on the computer thus restoring its performance like when the computer was new. Microsoft said Lundgren committed copyright infringement.

Lundgren could have avoided this kerfuffle and helped his users escape from Microsoft’s spying grasp at the same time by helping his users install a free software operating system (such as any of the free OSes listed here) instead of perpetuating his user’s dependency on proprietary software. This would have completely avoided the complaint with Microsoft, helped users liberate themselves from user-subjugating software (which often contains malware) published by a known NSA partner and spy. We don’t know what most of Microsoft’s software does because it is proprietary, so we have to fall back on examining the programs by how they behave and what relationships Microsoft cultivates with other organizations.